Antispam and antimalware permissions

Learn about permissions that are required to manage anti-spam and anti-malware in Exchange Server 2016.

The permissions required to perform tasks related to anti-spam and anti-malware vary depending on the procedure being performed or the cmdlet you want to run. For more information about transport features, see Mail flow and the transport pipeline.

This topic lists the permissions required to manage the mail flow features in Microsoft Exchange Server 2016.

To find out what permissions you need to perform the procedure or run the cmdlet, do the following:

In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet you want to run.

Next, look at the permissions required for the feature. You must be assigned one of those role groups, an equivalent custom role group, or an equivalent management role. You can also click on a role group to see its management roles. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature. For more information about role groups and management roles, see Understanding Role Based Access Control.

Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles assigned to you to see if you have the permissions that are necessary to manage the feature.

Note:

You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange administrator to retrieve the role groups or management roles assigned to you.

Some features that you want to manage might exist on Edge Transport servers. To manage features on Edge Transport servers, you need to become a member of the Local Administrators group on the Edge Transport server you want to manage. Edge Transport servers don't use Role Based Access Control (RBAC). Features that can be managed on Edge Transport servers have Edge Transport Local Administrator in the "Permissions required" column in the table below.

Note:

Some features may require that you have local administrator permissions on the server you want to manage. To manage these features, you must be a member of the Local Administrators group on that server.